Remember, the file is completely under the control of the user. If that were allowed, the user could create a root-owned binary inside the image (e.g. a copy of /bin/sh) and flip the setuid bit on it, mount the filesystem and run the now-setuid binary. Or create a device node for /dev/kmem and go rifling through kernel memory. Or create a device node for the root filesystem, then edit /etc/passwd via the raw device. And probably other things I've overlooked.
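One defender-side check for the risk described above, added here as an example and not code from the original post: a POSIX shell function that reads /proc/mounts-format lines and reports loop-backed mounts whose options lack nosuid or nodev (the sample mount lines are constructed, not captured from a real system).

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format: /mnt/safe was mounted with
# nosuid,nodev; /mnt/user was not, so a setuid binary or device node
# inside that image would be honoured by the kernel.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/loop0 /mnt/safe ext4 ro,nosuid,nodev,relatime 0 0
/dev/loop1 /mnt/user ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# check_loop_mounts: read mount table lines on stdin and print one line
# "<mountpoint> missing <opt>[,<opt>]" for every /dev/loop* mount that is
# missing nosuid and/or nodev. Non-loop mounts are ignored.
check_loop_mounts() {
    while read -r dev mnt fstype opts rest; do
        case "$dev" in
            /dev/loop*) ;;
            *) continue ;;
        esac
        missing=""
        for want in nosuid nodev; do
            # Wrap in commas so "nodev" cannot match inside another option.
            case ",$opts," in
                *",$want,"*) ;;
                *) missing="${missing:+$missing,}$want" ;;
            esac
        done
        if [ -n "$missing" ]; then
            printf '%s missing %s\n' "$mnt" "$missing"
        fi
    done
}

# Run against the constructed sample. On a live system:
#   check_loop_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | check_loop_mounts
```

A loop mount of a user-supplied image should be created with `-o nosuid,nodev` (and usually `noexec`) in the first place; this check only catches the ones that were not.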

In unrelated news, one of the reported OpenSSH bugs turned out to be an OpenSSL bug. It took the OpenSSL folks about 15 minutes to accept the bug and apply my patch. I love it when it works like that.